Web Application Security and Your Website

In a recent interview with SC Magazine, Sergey Gordeychik, a contributor for the international standards group Web Application Security Consortium (WASC), explained that web application security problems have grown significantly over the past few years and that most web applications today are vulnerable.

The blame, according to Gordeychk, falls on the fact that security requirements often are not considered in the system design of web applications, making it hard to eliminate vulnerabilities. Attackers can easily detect these bugs with very little effort by using automated scanners.

But just how large is the threat? According to some, web applications account for over 70 percent of known vulnerabilities. Unfortunately, when people see these numbers they assume that we are talking about large scale proprietary applications deployed on corporate web site. What the average person forgets, or isn’t even aware of, is that solutions like WordPress, Drupal, and Joomla! are all web applications.

While hosting providers often make it easy for their customers to deploy these applications with script installers like Fantastico or SimpleScripts, the person who installs the application is often unaware to the vulnerabilities that exist.

Common Security Vulnerabilities

So what types of vulnerabilities exist in common web applications? Two of the most common found by researchers are:

SQL injection attacks – where the language that runs the database queries is exploited by injecting unauthorized commands into the Web form input box taking advantage of insecure code bypassing the firewall. When this exploit is successful, the attacker gains access to the database where they can steal data like user accounts or even modify data to falsify orders or escalate the privileges of a user account.

Cross-site scripting – where the attacker exploits a vulnerability that allows them to inject malicious code into a web site that tricks visitors into clicking a link that may collect data entered by the victim, such as a credit card number or password, or the link may steal the victim’s cookie allowing the attacker to recreate the victim’s session id to highjack their browser session.

As the owner of a web site, these threats pose a significant problem. After exploiting these vulnerabilities, attackers are able to steal data from your visitors, modify data, deface your web sites, escalate user privileges, and many other illicit activities. In addition to the damage these attacks can cause to the visitors and registered users of your site, as a company your reputation can take a serious decline with existing clients, potential clients, and the search engines. All of the hard work that went into building a successful online presence can be dismantled as a result of just one attack.

Proactive Application Security

To protect against such threats, the WASC recommends the use of a Web Application Firewall to mitigate many of the vulnerabilities that exist in today’s web applications. Web application firewalls perform a deep inspection of data packets transferred between the server and the browser so they are capable of preventing attacks that network firewalls and intrusion detection systems can’t.

Netcetera has recently partnered with Applicure to deploy web application Security as a Service through their dotDefender web application firewall. In doing so, we are able to provide all Netcetera customers with a way to stop potential exploits at the gate – before they reach the web application. To read more about this new Netcetera service, please visit: